Security handbook · Resilience & Suppliers

Last reviewed: 12 June 2026

Mailbuttons depends on a small set of carefully chosen suppliers to deliver its Agent Mail API, and the security of customer data depends partly on them. This policy sets out how we vet, contract with, monitor and offboard those suppliers.

Purpose and scope

This policy defines how Code Cutter Limited (trading as Mailbuttons) manages information security in its supplier and sub-processor relationships. It applies to any supplier that hosts, processes, transmits or could access Mailbuttons or customer data. It aligns with ISO/IEC 27001:2022 Annex A controls 5.19–5.22 (supplier relationships, addressing security within agreements, the ICT supply chain, and monitoring and change management of supplier services) and 5.23 (security for cloud services).

Policy

Vetting before engagement. Before engaging a supplier that may handle data, we assess its security posture, relevant certifications (for example ISO/IEC 27001 or SOC 2), data residency, sub-processing arrangements and incident-notification commitments. The assessment is proportionate to the sensitivity of the data involved.

Contracts and data protection. Where a supplier processes personal data on our behalf, we put a data processing agreement in place setting out processing scope, confidentiality, security measures, sub-processing and breach notification. For transfers outside the UK/EEA, we require an appropriate transfer mechanism such as Standard Contractual Clauses with the UK International Data Transfer Addendum.

Data residency preference. We prefer UK/EEA data residency and keep customer data in the UK/EEA by default. Transfers beyond this perimeter are the exception, are justified, and are protected by the safeguards above.

Canonical sub-processor list. We maintain the authoritative list of sub-processors on our Trust Center at /trust#sub-processors. Our current suppliers and roles are:

  • Fasthosts Internet Ltd (UK) — VPS hosting for production infrastructure.
  • Cloudflare Inc — DNS and edge network.
  • Anthropic PBC (US) — LLM inference, opt-in only, under Standard Contractual Clauses, and not used to train models.
  • Backblaze Inc (EU, Amsterdam) — off-site backup storage, encrypted client-side with a key we control.
  • Stripe (UK/EU) — payment processing.
  • Stalwart Labs — email server software, self-operated by us.

Advance notice and right to object. We give customers at least 30 days' written notice before adding a new sub-processor. Customers may object during that period; we work in good faith to address reasonable objections.

Periodic re-assessment. We re-assess suppliers at least annually, or sooner on a material change to their service, security posture or sub-processing, or following a relevant incident. We monitor supplier security advisories and status communications.

Secure offboarding. When a supplier relationship ends, we ensure our data is returned or securely deleted in line with the agreement, revoke the supplier's access and credentials, remove the supplier from the sub-processor list with appropriate customer notice, and confirm completion in writing where practical.

Responsibilities

The ISMS Owner is accountable for the supplier programme: vetting and approving suppliers, ensuring contracts and transfer safeguards are in place, maintaining the sub-processor list and customer notifications, conducting re-assessments, and managing secure offboarding. Suppliers are expected to meet their contractual security and notification obligations.

Review

This policy is reviewed at least annually and after any material change, and is approved by the ISMS Owner.

Related: Incident Response Policy, Business Continuity and Disaster Recovery Policy, Physical and Environmental Security Policy